Over
the past two years, 35 unique ransomware strains earned cybercriminals
$25 million, with Locky and its many variants being the most profitable.

The data comes from a study debuted Wednesday at Black Hat by Google,
Chainalysis, UC San Diego, and the NYU Tandom School of Engineering. The
study is unique in that it based calculations on bitcoin payments and
blockchains. The result allowed researchers to create a precise picture
of the ransomware ecosystem and who the top earners were, starting with
Locky at $7.8 million in payments from victims, followed by Cerber and
CryptXXX that earned $6.9 million and $1.9 million.

“Ransomware is here to stay and we will have to deal with for a long
time to come,” said Kylie McRoberts, a senior strategist with Google’s
Safe Browsing team.

The results show that the last two high-profile ransomware attacks,
WannaCry and NotPetya, were flops when it came earning money. “Petya,
NotPetya and other variants never earned money, because it was more
wiper malware – not true ransomware,” McRoberts said. She called the
wiper malware trend “the rise of the ransomware impostors.”

In contrast, researchers said Locky pulled in more than 28 percent of
the $25 million earned by ransomware since 2016.

Locky’s secret, according to Luca Invernizzi, a research scientist in
Google’s anti-abuse team, is that its authors focused on malware
development and finessing the supporting botnet infrastructure. Keeping
development separate from distribution allowed the malware to be spread
wider and faster than its competitors.

Cerber success has been its affiliate model, allowing it to sustain
income of $200,000 a month, McRoberts said.

Researchers
also singled out Spora as an up-and-coming ransomware to watch. They
said the malware sets itself apart integrating topnotch customer support
with features such as real-time chat to help victims navigate payments
and offering immunity packages to avoid getting hit by the ransomware
again in the future.

According to Google, the malware writers behind CyptoLocker, Locky and
Cerber have been getting better at evading detection by creating malware
that can automatically change binaries. The study found 23,000 unique
binaries for Cerber in 2017 and 6,000 for Locky. Of the samples Google
looked at, a total of 301,588 binaries were examined. That’s been key
when it comes to sneaking past antimalware protection, said Elie
Bursztein leads Google’s anti-abuse research.

Google researchers warned that in the year ahead ransomware-as-a-service
was going to become even more prevalent and so will the number of
impostors looking to cause more damage than extort money.